Edit tour

Linux Analysis Report
H9NSZqE1YV

Overview

General Information

Sample Name:	H9NSZqE1YV
Analysis ID:	679633
MD5:	58836131abfd4884cee3a45e82344236
SHA1:	99834e69d8788d276f63ee5968256cb84d3dc1c4
SHA256:	75197b35b16d2668bf3c9437ac9e29f2287db5b1f0839acc4f6dbcf7bca02ae2
Tags:	32elfmiraipowerpc
Infos:

Detection

Mirai

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Mirai

Multi AV Scanner detection for submitted file

Uses known network protocols on non-standard ports

Sample has stripped symbol table

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679633
Start date and time: 06/08/202207:40:13	2022-08-06 07:40:13 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 38s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	H9NSZqE1YV
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal76.troj.lin@0/0@42/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100

Runtime Messages

Command:	/tmp/H9NSZqE1YV
PID:	6232
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Process Tree

system is lnxubuntu20

H9NSZqE1YV (PID: 6232, Parent: 6124, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/H9NSZqE1YV

H9NSZqE1YV New Fork (PID: 6234, Parent: 6232)

H9NSZqE1YV New Fork (PID: 6235, Parent: 6232)

H9NSZqE1YV New Fork (PID: 6237, Parent: 6232)

H9NSZqE1YV New Fork (PID: 6239, Parent: 6232)

H9NSZqE1YV New Fork (PID: 6242, Parent: 6239)

H9NSZqE1YV New Fork (PID: 6331, Parent: 6242)

H9NSZqE1YV New Fork (PID: 6244, Parent: 6239)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
H9NSZqE1YV	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author
6232.1.00007fc154001000.00007fc154016000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6331.1.00007fc154001000.00007fc154016000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6244.1.00007fc154001000.00007fc154016000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: H9NSZqE1YV

Avira: detected

Multi AV Scanner detection for submitted file

Source: H9NSZqE1YV	Virustotal: Detection: 50%	Perma Link
Source: H9NSZqE1YV	Metadefender: Detection: 31%	Perma Link
Source: H9NSZqE1YV	ReversingLabs: Detection: 61%

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38848
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38856
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38874
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38876
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38878
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38888
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38892
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38894
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38896
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38900

Source: global traffic	TCP traffic: 192.168.2.23:49684 -> 189.236.48.74:7547
Source: global traffic	TCP traffic: 192.168.2.23:33416 -> 112.170.93.137:7547
Source: global traffic	TCP traffic: 192.168.2.23:53436 -> 46.23.109.40:1312

Source: /tmp/H9NSZqE1YV (PID: 6232)	Socket: 127.0.0.1::1312
Source: /tmp/H9NSZqE1YV (PID: 6242)	Socket: 0.0.0.0::0
Source: /tmp/H9NSZqE1YV (PID: 6242)	Socket: 0.0.0.0::23
Source: /tmp/H9NSZqE1YV (PID: 6242)	Socket: 0.0.0.0::53413
Source: /tmp/H9NSZqE1YV (PID: 6242)	Socket: 0.0.0.0::80
Source: /tmp/H9NSZqE1YV (PID: 6242)	Socket: 0.0.0.0::52869
Source: /tmp/H9NSZqE1YV (PID: 6242)	Socket: 0.0.0.0::37215

Source: unknown

DNS traffic detected: queries for: arcticboatz.cz

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 2808
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 189.236.48.74
Source: unknown	TCP traffic detected without corresponding DNS query: 112.170.93.137
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 189.236.48.74
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 158.209.73.34
Source: unknown	TCP traffic detected without corresponding DNS query: 79.230.189.239
Source: unknown	TCP traffic detected without corresponding DNS query: 40.71.205.34
Source: unknown	TCP traffic detected without corresponding DNS query: 255.240.206.49
Source: unknown	TCP traffic detected without corresponding DNS query: 146.74.47.18
Source: unknown	TCP traffic detected without corresponding DNS query: 78.218.165.73
Source: unknown	TCP traffic detected without corresponding DNS query: 244.16.155.19
Source: unknown	TCP traffic detected without corresponding DNS query: 129.8.7.47
Source: unknown	TCP traffic detected without corresponding DNS query: 216.253.109.206
Source: unknown	TCP traffic detected without corresponding DNS query: 44.139.232.96
Source: unknown	TCP traffic detected without corresponding DNS query: 23.21.46.22
Source: unknown	TCP traffic detected without corresponding DNS query: 191.197.164.163
Source: unknown	TCP traffic detected without corresponding DNS query: 126.178.56.153
Source: unknown	TCP traffic detected without corresponding DNS query: 117.53.114.23
Source: unknown	TCP traffic detected without corresponding DNS query: 173.7.147.254
Source: unknown	TCP traffic detected without corresponding DNS query: 170.51.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 206.243.187.98
Source: unknown	TCP traffic detected without corresponding DNS query: 9.38.164.129
Source: unknown	TCP traffic detected without corresponding DNS query: 75.86.70.161
Source: unknown	TCP traffic detected without corresponding DNS query: 57.243.157.111
Source: unknown	TCP traffic detected without corresponding DNS query: 31.205.83.49
Source: unknown	TCP traffic detected without corresponding DNS query: 142.105.20.237
Source: unknown	TCP traffic detected without corresponding DNS query: 12.120.176.124
Source: unknown	TCP traffic detected without corresponding DNS query: 79.49.199.46
Source: unknown	TCP traffic detected without corresponding DNS query: 59.62.201.167
Source: unknown	TCP traffic detected without corresponding DNS query: 246.239.56.178
Source: unknown	TCP traffic detected without corresponding DNS query: 17.240.180.52
Source: unknown	TCP traffic detected without corresponding DNS query: 206.46.174.77
Source: unknown	TCP traffic detected without corresponding DNS query: 92.35.25.14
Source: unknown	TCP traffic detected without corresponding DNS query: 155.65.48.135
Source: unknown	TCP traffic detected without corresponding DNS query: 9.152.178.21
Source: unknown	TCP traffic detected without corresponding DNS query: 18.32.189.2
Source: unknown	TCP traffic detected without corresponding DNS query: 192.8.195.30
Source: unknown	TCP traffic detected without corresponding DNS query: 242.39.196.246
Source: unknown	TCP traffic detected without corresponding DNS query: 126.101.119.208
Source: unknown	TCP traffic detected without corresponding DNS query: 154.238.65.57
Source: unknown	TCP traffic detected without corresponding DNS query: 250.83.50.223
Source: unknown	TCP traffic detected without corresponding DNS query: 141.191.30.241
Source: unknown	TCP traffic detected without corresponding DNS query: 177.61.206.106
Source: unknown	TCP traffic detected without corresponding DNS query: 126.231.7.36
Source: unknown	TCP traffic detected without corresponding DNS query: 222.21.186.251
Source: unknown	TCP traffic detected without corresponding DNS query: 166.252.138.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.238.12.183
Source: unknown	TCP traffic detected without corresponding DNS query: 95.108.120.160
Source: unknown	TCP traffic detected without corresponding DNS query: 240.255.179.116

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/H9NSZqE1YV (PID: 6242)

SIGKILL sent: pid: 936, result: successful

Source: Initial sample	String containing 'busybox' found: /bin/busybox AK1K2
Source: Initial sample	String containing 'busybox' found: /bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'
Source: Initial sample	String containing 'busybox' found: >%st && cd %s && >retrieve; >.t/bin/busybox cp /bin/busybox retrieve && >retrieve && /bin/busybox chmod 777 retrieve && /bin/busybox cp /bin/busybox .t && >.t && /bin/busybox chmod 777 .t
Source: Initial sample	String containing 'busybox' found: >>>/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'

Source: classification engine

Classification label: mal76.troj.lin@0/0@42/0

Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/491/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/793/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/772/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/796/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/774/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/797/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/777/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/799/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/658/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/912/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/759/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/936/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/918/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/1/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/761/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/785/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/884/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/720/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/721/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/788/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/789/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/800/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/801/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/847/fd
Source: /tmp/H9NSZqE1YV (PID: 6242)	File opened: /proc/904/fd

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38848
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38856
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38874
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38876
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38878
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38888
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38892
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38894
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38896
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 38900

Source: /tmp/H9NSZqE1YV (PID: 6232)

Queries kernel information via 'uname':

Source: H9NSZqE1YV, 6232.1.000055d88c945000.000055d88c9f5000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
Source: H9NSZqE1YV, 6331.1.000055d88c945000.000055d88c9f5000.rw-.sdmp, H9NSZqE1YV, 6244.1.000055d88c945000.000055d88c9f5000.rw-.sdmp	Binary or memory string: !/etc/qemu-binfmt/ppc1
Source: H9NSZqE1YV, 6232.1.000055d88c945000.000055d88c9f5000.rw-.sdmp, H9NSZqE1YV, 6331.1.000055d88c945000.000055d88c9f5000.rw-.sdmp, H9NSZqE1YV, 6244.1.000055d88c945000.000055d88c9f5000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/ppc
Source: H9NSZqE1YV, 6232.1.00007ffd979ef000.00007ffd97a10000.rw-.sdmp, H9NSZqE1YV, 6331.1.00007ffd979ef000.00007ffd97a10000.rw-.sdmp, H9NSZqE1YV, 6244.1.00007ffd979ef000.00007ffd97a10000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/H9NSZqE1YVSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/H9NSZqE1YV
Source: H9NSZqE1YV, 6232.1.00007ffd979ef000.00007ffd97a10000.rw-.sdmp, H9NSZqE1YV, 6331.1.00007ffd979ef000.00007ffd97a10000.rw-.sdmp, H9NSZqE1YV, 6244.1.00007ffd979ef000.00007ffd97a10000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-ppc

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: H9NSZqE1YV, type: SAMPLE
Source: Yara match	File source: 6232.1.00007fc154001000.00007fc154016000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6331.1.00007fc154001000.00007fc154016000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6244.1.00007fc154001000.00007fc154016000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: H9NSZqE1YV, type: SAMPLE
Source: Yara match	File source: 6232.1.00007fc154001000.00007fc154016000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6331.1.00007fc154001000.00007fc154016000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6244.1.00007fc154001000.00007fc154016000.r-x.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
H9NSZqE1YV	50%	Virustotal		Browse
H9NSZqE1YV	31%	Metadefender		Browse
H9NSZqE1YV	62%	ReversingLabs	Linux.Trojan.Mirai
H9NSZqE1YV	100%	Avira	LINUX/Mirai.ywooj

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
arcticboatz.cz	12%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
arcticboatz.cz	46.23.109.40	true	true	12%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
155.109.221.154	unknown	United States	10273	FPLUS	false
181.135.48.207	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	false
14.165.112.96	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
220.110.11.185	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
118.48.135.48	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
223.89.203.166	unknown	China	24445	CMNET-V4HENAN-AS-APHenanMobileCommunicationsCoLtdCN	false
85.156.76.78	unknown	Finland	719	ELISA-ASHelsinkiFinlandEU	false
152.173.70.221	unknown	Chile	7418	TELEFONICACHILESACL	false
218.158.128.63	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
62.201.85.237	unknown	Hungary	5483	MAGYAR-TELEKOM-MAIN-ASMagyarTelekomNyrtHU	false
17.62.173.148	unknown	United States	714	APPLE-ENGINEERINGUS	false
5.70.23.230	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	false
146.219.29.46	unknown	Spain	16153	SCS-ASES	false
247.47.97.152	unknown	Reserved	unknown	unknown	false
194.130.165.150	unknown	United Kingdom	702	UUNETUS	false
179.67.232.125	unknown	Brazil	7738	TelemarNorteLesteSABR	false
46.81.13.66	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
78.133.68.230	unknown	Malta	15735	DATASTREAM-NETMT	false
195.37.15.177	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false
16.116.70.80	unknown	United States	unknown	unknown	false
93.213.34.200	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
156.104.246.46	unknown	United States	393504	XNSTGCA	false
241.154.209.12	unknown	Reserved	unknown	unknown	false
57.180.31.231	unknown	Belgium	2686	ATGS-MMD-ASUS	false
63.48.170.89	unknown	United States	701	UUNETUS	false
148.219.15.211	unknown	Mexico	8151	UninetSAdeCVMX	false
65.0.13.224	unknown	United States	16509	AMAZON-02US	false
190.143.63.123	unknown	Colombia	10620	TelmexColombiaSACO	false
19.247.181.236	unknown	United States	3	MIT-GATEWAYSUS	false
246.157.85.58	unknown	Reserved	unknown	unknown	false
116.118.24.28	unknown	Viet Nam	7602	SPT-AS-VNSaigonPostelCorporationVN	false
70.57.248.164	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
110.153.118.192	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
176.224.224.196	unknown	Saudi Arabia	35819	MOBILY-ASEtihadEtisalatCompanyMobilySA	false
175.182.19.79	unknown	Taiwan; Republic of China (ROC)	4780	SEEDNETDigitalUnitedIncTW	false
78.123.223.255	unknown	France	8228	CEGETEL-ASFR	false
74.245.253.55	unknown	United States	7018	ATT-INTERNET4US	false
168.219.183.244	unknown	Korea Republic of	6619	SAMSUNGSDS-AS-KRSamsungSDSIncKR	false
133.121.206.53	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
208.217.184.119	unknown	United States	701	UUNETUS	false
118.149.102.179	unknown	New Zealand	23655	SNAP-NZ-ASSnapInternetLimitedNZ	false
243.157.27.5	unknown	Reserved	unknown	unknown	false
115.247.124.226	unknown	India	55836	RELIANCEJIO-INRelianceJioInfocommLimitedIN	false
70.53.130.250	unknown	Canada	577	BACOMCA	false
101.230.221.215	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
64.230.113.77	unknown	Canada	577	BACOMCA	false
54.120.7.252	unknown	United States	16509	AMAZON-02US	false
88.144.103.27	unknown	United Kingdom	12708	ONETEL-ASTalkTalkCommunicationsLimitedGB	false
202.147.239.4	unknown	Indonesia	18156	BITNET-ID-APBITNETISPASID	false
222.226.32.24	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
133.238.136.184	unknown	Japan	2497	IIJInternetInitiativeJapanIncJP	false
171.129.35.104	unknown	United States	9874	STARHUB-MOBILEStarHubLtdSG	false
255.229.26.40	unknown	Reserved	unknown	unknown	false
111.160.230.225	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
252.233.82.244	unknown	Reserved	unknown	unknown	false
248.16.28.150	unknown	Reserved	unknown	unknown	false
59.44.8.235	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
158.54.95.144	unknown	Australia	11757	WHIRLPOOL-ASNUS	false
132.1.35.245	unknown	United States	385	AFCONC-BLOCK1-ASUS	false
5.112.38.239	unknown	Iran (ISLAMIC Republic Of)	44244	IRANCELL-ASIR	false
146.0.120.110	unknown	Germany	16097	HLKOMM04107LeipzigDE	false
246.229.188.175	unknown	Reserved	unknown	unknown	false
156.58.199.215	unknown	Austria	199083	MP-ASAT	false
255.96.63.163	unknown	Reserved	unknown	unknown	false
76.221.46.250	unknown	United States	7018	ATT-INTERNET4US	false
177.10.52.215	unknown	Brazil	53232	BannerServicosdeTelecomeInternetLtdaBR	false
169.178.222.46	unknown	United States	37611	AfrihostZA	false
109.129.79.187	unknown	Belgium	5432	PROXIMUS-ISP-ASBE	false
83.13.177.41	unknown	Poland	5617	TPNETPL	false
253.113.190.193	unknown	Reserved	unknown	unknown	false
40.132.109.158	unknown	United States	7029	WINDSTREAMUS	false
146.39.178.162	unknown	United States	197938	TRAVIANGAMESDE	false
184.38.86.27	unknown	United States	5778	CENTURYLINK-LEGACY-EMBARQ-RCMTUS	false
99.223.182.92	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false
41.179.108.50	unknown	Egypt	24863	LINKdotNET-ASEG	false
62.135.4.212	unknown	Egypt	24863	LINKdotNET-ASEG	false
249.239.255.162	unknown	Reserved	unknown	unknown	false
179.228.187.230	unknown	Brazil	27699	TELEFONICABRASILSABR	false
85.134.195.246	unknown	Ireland	24751	MULTIFI-ASFI	false
190.207.250.245	unknown	Venezuela	8048	CANTVServiciosVenezuelaVE	false
182.116.28.224	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
251.134.38.124	unknown	Reserved	unknown	unknown	false
9.254.40.126	unknown	United States	3356	LEVEL3US	false
120.195.48.62	unknown	China	56046	CMNET-JIANGSU-APChinaMobilecommunicationscorporationCN	false
124.182.10.211	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
93.140.61.197	unknown	Croatia (LOCAL Name: Hrvatska)	5391	T-HTCroatianTelecomIncHR	false
173.5.70.42	unknown	United States	10507	SPCSUS	false
86.172.120.247	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
197.129.211.25	unknown	Morocco	6713	IAM-ASMA	false
46.153.18.240	unknown	Saudi Arabia	35819	MOBILY-ASEtihadEtisalatCompanyMobilySA	false
61.210.62.8	unknown	Japan	2510	INFOWEBFUJITSULIMITEDJP	false
85.244.28.223	unknown	Portugal	3243	MEO-RESIDENCIALPT	false
152.237.114.197	unknown	Brazil	7738	TelemarNorteLesteSABR	false
251.172.40.214	unknown	Reserved	unknown	unknown	false
205.201.209.63	unknown	United States	6653	FORETHOUGHTNETUS	false
68.254.240.31	unknown	United States	7018	ATT-INTERNET4US	false
77.121.20.57	unknown	Ukraine	25229	VOLIA-ASUA	false
240.5.72.95	unknown	Reserved	unknown	unknown	false
184.225.78.253	unknown	United States	10507	SPCSUS	false
147.202.174.64	unknown	United States	19149	TEAMTECH-DSMUS	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.326713846296607
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	H9NSZqE1YV
File size:	87104
MD5:	58836131abfd4884cee3a45e82344236
SHA1:	99834e69d8788d276f63ee5968256cb84d3dc1c4
SHA256:	75197b35b16d2668bf3c9437ac9e29f2287db5b1f0839acc4f6dbcf7bca02ae2
SHA512:	1be5bcee9ef566a1300adf0e16d464dfd605ce09dc05a828733477c01370d8c261ef9beaffec24ba270cd68bba8f1cbb47c564fb50701a337d2e1bf45ad2f012
SSDEEP:	1536:npY0t1K/BFgpPidJ+bWxGcRy1A8dF67dGhY8CpSw5NJYPpo:oBFaPidI58mFtYZSubgpo
TLSH:	CC835C02B318094BF5E61DF0393F1BE193AFE98020F0B6C9690EE7499276E725546FD9
File Content Preview:	.ELF...........................4..R`.....4. ...(......................J...J...............J...J...J.......3 ........dt.Q.............................!..\|......$H...H.(5...$8!. \|...N.. .!..\|.......?.........R...../...@..\?.....K..+../...A..$8...})....K.N..

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	PowerPC
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x100001f0
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	86624
Section Header Size:	40
Number of Section Headers:	12
Header String Table Index:	11

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10000094	0x94	0x24	0x0	0x6	AX	4
.text	PROGBITS	0x100000b8	0xb8	0x1288c	0x0	0x6	AX	4
.fini	PROGBITS	0x10012944	0x12944	0x20	0x0	0x6	AX	4
.rodata	PROGBITS	0x10012968	0x12968	0x2190	0x0	0x2	A	8
.ctors	PROGBITS	0x10024afc	0x14afc	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x10024b04	0x14b04	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x10024b10	0x14b10	0x6b8	0x0	0x3	WA	8
.sdata	PROGBITS	0x100251c8	0x151c8	0x4c	0x0	0x3	WA	4
.sbss	NOBITS	0x10025214	0x15214	0x90	0x0	0x3	WA	4
.bss	NOBITS	0x100252a4	0x15214	0x2b78	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x15214	0x4b	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000000	0x10000000	0x14af8	0x14af8	6.3516	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x14afc	0x10024afc	0x10024afc	0x718	0x3320	4.4934	0x6	RW	0x10000	.ctors .dtors .data .sdata .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 6, 2022 07:40:59.193033934 CEST	7547	49684	189.236.48.74	192.168.2.23
Aug 6, 2022 07:40:59.193345070 CEST	49684	7547	192.168.2.23	189.236.48.74
Aug 6, 2022 07:40:59.400290966 CEST	7547	33416	112.170.93.137	192.168.2.23
Aug 6, 2022 07:40:59.400446892 CEST	33416	7547	192.168.2.23	112.170.93.137
Aug 6, 2022 07:41:00.162621975 CEST	42836	443	192.168.2.23	91.189.91.43
Aug 6, 2022 07:41:00.196702003 CEST	7547	49716	189.236.48.74	192.168.2.23
Aug 6, 2022 07:41:00.196880102 CEST	49716	7547	192.168.2.23	189.236.48.74
Aug 6, 2022 07:41:00.930406094 CEST	42516	80	192.168.2.23	109.202.202.202
Aug 6, 2022 07:41:01.099153042 CEST	19829	23	192.168.2.23	158.209.73.34
Aug 6, 2022 07:41:01.099175930 CEST	19829	23	192.168.2.23	79.230.189.239
Aug 6, 2022 07:41:01.099219084 CEST	19829	23	192.168.2.23	40.71.205.34
Aug 6, 2022 07:41:01.099277020 CEST	19829	23	192.168.2.23	255.240.206.49
Aug 6, 2022 07:41:01.099286079 CEST	19829	23	192.168.2.23	146.74.47.18
Aug 6, 2022 07:41:01.099335909 CEST	19829	23	192.168.2.23	78.218.165.73
Aug 6, 2022 07:41:01.099375963 CEST	19829	23	192.168.2.23	244.16.155.19
Aug 6, 2022 07:41:01.099416971 CEST	19829	23	192.168.2.23	129.8.7.47
Aug 6, 2022 07:41:01.099425077 CEST	19829	23	192.168.2.23	216.253.109.206
Aug 6, 2022 07:41:01.099432945 CEST	19829	23	192.168.2.23	44.139.232.96
Aug 6, 2022 07:41:01.099443913 CEST	19829	23	192.168.2.23	23.21.46.22
Aug 6, 2022 07:41:01.099562883 CEST	19829	23	192.168.2.23	191.197.164.163
Aug 6, 2022 07:41:01.099611998 CEST	19829	23	192.168.2.23	126.178.56.153
Aug 6, 2022 07:41:01.099622011 CEST	19829	23	192.168.2.23	117.53.114.23
Aug 6, 2022 07:41:01.099623919 CEST	19829	23	192.168.2.23	173.7.147.254
Aug 6, 2022 07:41:01.100465059 CEST	19829	23	192.168.2.23	170.51.199.30
Aug 6, 2022 07:41:01.103271008 CEST	19829	23	192.168.2.23	206.243.187.98
Aug 6, 2022 07:41:01.103282928 CEST	19829	23	192.168.2.23	9.38.164.129
Aug 6, 2022 07:41:01.103316069 CEST	19829	23	192.168.2.23	75.86.70.161
Aug 6, 2022 07:41:01.103393078 CEST	19829	23	192.168.2.23	57.243.157.111
Aug 6, 2022 07:41:01.103558064 CEST	19829	23	192.168.2.23	31.205.83.49
Aug 6, 2022 07:41:01.103588104 CEST	19829	23	192.168.2.23	142.105.20.237
Aug 6, 2022 07:41:01.103605986 CEST	19829	23	192.168.2.23	12.120.176.124
Aug 6, 2022 07:41:01.103615046 CEST	19829	23	192.168.2.23	79.49.199.46
Aug 6, 2022 07:41:01.103622913 CEST	19829	23	192.168.2.23	59.62.201.167
Aug 6, 2022 07:41:01.103622913 CEST	19829	23	192.168.2.23	246.239.56.178
Aug 6, 2022 07:41:01.103648901 CEST	19829	23	192.168.2.23	17.240.180.52
Aug 6, 2022 07:41:01.103651047 CEST	19829	23	192.168.2.23	155.58.10.138
Aug 6, 2022 07:41:01.103686094 CEST	19829	23	192.168.2.23	206.46.174.77
Aug 6, 2022 07:41:01.103693008 CEST	19829	23	192.168.2.23	92.35.25.14
Aug 6, 2022 07:41:01.103718042 CEST	19829	23	192.168.2.23	155.65.48.135
Aug 6, 2022 07:41:01.103743076 CEST	19829	23	192.168.2.23	9.152.178.21
Aug 6, 2022 07:41:01.103754997 CEST	19829	23	192.168.2.23	18.32.189.2
Aug 6, 2022 07:41:01.103779078 CEST	19829	23	192.168.2.23	192.8.195.30
Aug 6, 2022 07:41:01.103782892 CEST	19829	23	192.168.2.23	242.39.196.246
Aug 6, 2022 07:41:01.103799105 CEST	19829	23	192.168.2.23	126.101.119.208
Aug 6, 2022 07:41:01.103804111 CEST	19829	23	192.168.2.23	154.238.65.57
Aug 6, 2022 07:41:01.103823900 CEST	19829	23	192.168.2.23	250.83.50.223
Aug 6, 2022 07:41:01.103841066 CEST	19829	23	192.168.2.23	141.191.30.241
Aug 6, 2022 07:41:01.103854895 CEST	19829	23	192.168.2.23	177.61.206.106
Aug 6, 2022 07:41:01.103871107 CEST	19829	23	192.168.2.23	126.231.7.36
Aug 6, 2022 07:41:01.103890896 CEST	19829	23	192.168.2.23	222.21.186.251
Aug 6, 2022 07:41:01.103923082 CEST	19829	23	192.168.2.23	166.252.138.130
Aug 6, 2022 07:41:01.103928089 CEST	19829	23	192.168.2.23	98.238.12.183
Aug 6, 2022 07:41:01.103962898 CEST	19829	23	192.168.2.23	95.108.120.160
Aug 6, 2022 07:41:01.103971004 CEST	19829	23	192.168.2.23	240.255.179.116
Aug 6, 2022 07:41:01.103979111 CEST	19829	23	192.168.2.23	249.120.204.216
Aug 6, 2022 07:41:01.104021072 CEST	19829	23	192.168.2.23	41.138.204.216
Aug 6, 2022 07:41:01.104024887 CEST	19829	23	192.168.2.23	75.107.174.19
Aug 6, 2022 07:41:01.104043961 CEST	19829	23	192.168.2.23	189.91.61.212
Aug 6, 2022 07:41:01.104046106 CEST	19829	23	192.168.2.23	115.73.228.45
Aug 6, 2022 07:41:01.104048014 CEST	19829	23	192.168.2.23	82.191.215.119
Aug 6, 2022 07:41:01.104063034 CEST	19829	23	192.168.2.23	184.159.13.165
Aug 6, 2022 07:41:01.104074001 CEST	19829	23	192.168.2.23	126.190.15.28
Aug 6, 2022 07:41:01.104077101 CEST	19829	23	192.168.2.23	248.223.149.35
Aug 6, 2022 07:41:01.104110956 CEST	19829	23	192.168.2.23	4.206.204.188
Aug 6, 2022 07:41:01.104110956 CEST	19829	23	192.168.2.23	133.39.93.48
Aug 6, 2022 07:41:01.106878996 CEST	19829	23	192.168.2.23	177.48.146.134
Aug 6, 2022 07:41:01.106899023 CEST	19829	23	192.168.2.23	123.82.105.240
Aug 6, 2022 07:41:01.106916904 CEST	19829	23	192.168.2.23	177.100.147.184
Aug 6, 2022 07:41:01.106966972 CEST	19829	23	192.168.2.23	221.183.42.104
Aug 6, 2022 07:41:01.106976032 CEST	19829	23	192.168.2.23	100.239.35.51
Aug 6, 2022 07:41:01.106993914 CEST	19829	23	192.168.2.23	109.109.217.148
Aug 6, 2022 07:41:01.107219934 CEST	19829	23	192.168.2.23	147.46.7.29
Aug 6, 2022 07:41:01.107238054 CEST	19829	23	192.168.2.23	19.182.69.252
Aug 6, 2022 07:41:01.107261896 CEST	19829	23	192.168.2.23	175.179.188.108
Aug 6, 2022 07:41:01.107264996 CEST	19829	23	192.168.2.23	197.64.15.194
Aug 6, 2022 07:41:01.107275963 CEST	19829	23	192.168.2.23	244.76.15.159
Aug 6, 2022 07:41:01.107322931 CEST	19829	23	192.168.2.23	157.40.84.172
Aug 6, 2022 07:41:01.107327938 CEST	19829	23	192.168.2.23	46.139.16.91
Aug 6, 2022 07:41:01.107405901 CEST	19829	23	192.168.2.23	162.123.0.149
Aug 6, 2022 07:41:01.107409954 CEST	19829	23	192.168.2.23	146.198.116.26
Aug 6, 2022 07:41:01.107414961 CEST	19829	23	192.168.2.23	187.147.126.255
Aug 6, 2022 07:41:01.107422113 CEST	19829	23	192.168.2.23	39.186.101.110
Aug 6, 2022 07:41:01.107425928 CEST	19829	23	192.168.2.23	1.81.93.150
Aug 6, 2022 07:41:01.107429028 CEST	19829	23	192.168.2.23	73.1.136.94
Aug 6, 2022 07:41:01.107436895 CEST	19829	23	192.168.2.23	99.169.154.28
Aug 6, 2022 07:41:01.107446909 CEST	19829	23	192.168.2.23	246.223.99.7
Aug 6, 2022 07:41:01.107456923 CEST	19829	23	192.168.2.23	115.78.215.149
Aug 6, 2022 07:41:01.107459068 CEST	19829	23	192.168.2.23	122.5.67.205
Aug 6, 2022 07:41:01.107459068 CEST	19829	23	192.168.2.23	240.59.195.253
Aug 6, 2022 07:41:01.107470989 CEST	19829	23	192.168.2.23	217.240.213.92
Aug 6, 2022 07:41:01.107475042 CEST	19829	23	192.168.2.23	73.36.212.140
Aug 6, 2022 07:41:01.107496023 CEST	19829	23	192.168.2.23	190.79.228.144
Aug 6, 2022 07:41:01.107532024 CEST	19829	23	192.168.2.23	186.255.243.188
Aug 6, 2022 07:41:01.107553959 CEST	19829	23	192.168.2.23	54.106.117.18
Aug 6, 2022 07:41:01.107580900 CEST	19829	23	192.168.2.23	174.208.184.140
Aug 6, 2022 07:41:01.107646942 CEST	19829	23	192.168.2.23	66.10.68.68
Aug 6, 2022 07:41:01.107686043 CEST	19829	23	192.168.2.23	164.119.22.171
Aug 6, 2022 07:41:01.107686996 CEST	19829	23	192.168.2.23	211.18.200.93
Aug 6, 2022 07:41:01.107700109 CEST	19829	23	192.168.2.23	65.101.227.169
Aug 6, 2022 07:41:01.107712030 CEST	19829	23	192.168.2.23	252.191.215.253

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 6, 2022 07:41:01.116614103 CEST	192.168.2.23	8.8.8.8	0xdb08	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:41:09.165544033 CEST	192.168.2.23	8.8.8.8	0xbb1e	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:41:12.213207960 CEST	192.168.2.23	8.8.8.8	0xe192	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:41:21.259176970 CEST	192.168.2.23	8.8.8.8	0x770f	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:41:25.307424068 CEST	192.168.2.23	8.8.8.8	0xf37b	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:41:32.422629118 CEST	192.168.2.23	8.8.8.8	0x5c25	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:41:41.507055998 CEST	192.168.2.23	8.8.8.8	0xc3eb	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:41:50.554505110 CEST	192.168.2.23	8.8.8.8	0xe50d	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:41:52.602288961 CEST	192.168.2.23	8.8.8.8	0xdb3f	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:01.654665947 CEST	192.168.2.23	8.8.8.8	0x3446	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:09.704438925 CEST	192.168.2.23	8.8.8.8	0xacc5	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:11.751385927 CEST	192.168.2.23	8.8.8.8	0x38cd	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:17.802405119 CEST	192.168.2.23	8.8.8.8	0x8340	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:20.852332115 CEST	192.168.2.23	8.8.8.8	0xc617	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:28.902182102 CEST	192.168.2.23	8.8.8.8	0xc2a8	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:33.952630997 CEST	192.168.2.23	8.8.8.8	0x2d8b	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:41.004432917 CEST	192.168.2.23	8.8.8.8	0x6751	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:47.074788094 CEST	192.168.2.23	8.8.8.8	0x4c77	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:56.123281002 CEST	192.168.2.23	8.8.8.8	0xe9cb	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:04.171331882 CEST	192.168.2.23	8.8.8.8	0x8817	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:11.220374107 CEST	192.168.2.23	8.8.8.8	0x72c2	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:12.270960093 CEST	192.168.2.23	8.8.8.8	0xf4e5	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:22.319828987 CEST	192.168.2.23	8.8.8.8	0xa83d	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:26.370374918 CEST	192.168.2.23	8.8.8.8	0xb9ae	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:36.420439959 CEST	192.168.2.23	8.8.8.8	0x9b73	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:42.501266003 CEST	192.168.2.23	8.8.8.8	0xfffa	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:48.786597013 CEST	192.168.2.23	8.8.8.8	0xdb08	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:51.552239895 CEST	192.168.2.23	8.8.8.8	0xc97a	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:54.600958109 CEST	192.168.2.23	8.8.8.8	0x91c0	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:56.834305048 CEST	192.168.2.23	8.8.8.8	0xbb1e	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:59.882426023 CEST	192.168.2.23	8.8.8.8	0xe192	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:03.662785053 CEST	192.168.2.23	8.8.8.8	0xbc06	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:04.711616039 CEST	192.168.2.23	8.8.8.8	0xabc1	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:08.928091049 CEST	192.168.2.23	8.8.8.8	0x770f	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:13.022116899 CEST	192.168.2.23	8.8.8.8	0xf37b	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:14.806247950 CEST	192.168.2.23	8.8.8.8	0xd163	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:15.852396965 CEST	192.168.2.23	8.8.8.8	0x4dfc	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:17.901329041 CEST	192.168.2.23	8.8.8.8	0x4e79	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:20.114877939 CEST	192.168.2.23	8.8.8.8	0x5c25	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:27.949146986 CEST	192.168.2.23	8.8.8.8	0xb943	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:28.997534037 CEST	192.168.2.23	8.8.8.8	0xee1b	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:29.172676086 CEST	192.168.2.23	8.8.8.8	0xc3eb	Standard query (0)	arcticboatz.cz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 6, 2022 07:41:01.135778904 CEST	8.8.8.8	192.168.2.23	0xdb08	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:41:09.183168888 CEST	8.8.8.8	192.168.2.23	0xbb1e	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:41:12.230926037 CEST	8.8.8.8	192.168.2.23	0xe192	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:41:21.278891087 CEST	8.8.8.8	192.168.2.23	0x770f	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:41:25.325009108 CEST	8.8.8.8	192.168.2.23	0xf37b	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:41:32.442219019 CEST	8.8.8.8	192.168.2.23	0x5c25	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:41:41.524699926 CEST	8.8.8.8	192.168.2.23	0xc3eb	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:41:50.571964979 CEST	8.8.8.8	192.168.2.23	0xe50d	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:41:52.621741056 CEST	8.8.8.8	192.168.2.23	0xdb3f	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:01.674204111 CEST	8.8.8.8	192.168.2.23	0x3446	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:09.722086906 CEST	8.8.8.8	192.168.2.23	0xacc5	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:11.770395041 CEST	8.8.8.8	192.168.2.23	0x38cd	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:17.821860075 CEST	8.8.8.8	192.168.2.23	0x8340	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:20.871762037 CEST	8.8.8.8	192.168.2.23	0xc617	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:28.921660900 CEST	8.8.8.8	192.168.2.23	0xc2a8	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:33.972543001 CEST	8.8.8.8	192.168.2.23	0x2d8b	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:41.024063110 CEST	8.8.8.8	192.168.2.23	0x6751	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:47.094512939 CEST	8.8.8.8	192.168.2.23	0x4c77	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:42:56.140731096 CEST	8.8.8.8	192.168.2.23	0xe9cb	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:04.190247059 CEST	8.8.8.8	192.168.2.23	0x8817	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:11.240196943 CEST	8.8.8.8	192.168.2.23	0x72c2	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:12.290678978 CEST	8.8.8.8	192.168.2.23	0xf4e5	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:22.339315891 CEST	8.8.8.8	192.168.2.23	0xa83d	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:26.389827967 CEST	8.8.8.8	192.168.2.23	0xb9ae	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:36.472057104 CEST	8.8.8.8	192.168.2.23	0x9b73	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:42.520622969 CEST	8.8.8.8	192.168.2.23	0xfffa	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:48.804306030 CEST	8.8.8.8	192.168.2.23	0xdb08	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:51.571899891 CEST	8.8.8.8	192.168.2.23	0xc97a	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:54.620553970 CEST	8.8.8.8	192.168.2.23	0x91c0	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:56.853245020 CEST	8.8.8.8	192.168.2.23	0xbb1e	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:43:59.899748087 CEST	8.8.8.8	192.168.2.23	0xe192	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:03.682626963 CEST	8.8.8.8	192.168.2.23	0xbc06	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:04.731012106 CEST	8.8.8.8	192.168.2.23	0xabc1	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:08.947515965 CEST	8.8.8.8	192.168.2.23	0x770f	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:13.041237116 CEST	8.8.8.8	192.168.2.23	0xf37b	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:14.823204994 CEST	8.8.8.8	192.168.2.23	0xd163	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:15.871874094 CEST	8.8.8.8	192.168.2.23	0x4dfc	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:17.920802116 CEST	8.8.8.8	192.168.2.23	0x4e79	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:20.132091045 CEST	8.8.8.8	192.168.2.23	0x5c25	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:27.968497038 CEST	8.8.8.8	192.168.2.23	0xb943	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:29.015249014 CEST	8.8.8.8	192.168.2.23	0xee1b	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)
Aug 6, 2022 07:44:29.192786932 CEST	8.8.8.8	192.168.2.23	0xc3eb	No error (0)	arcticboatz.cz	46.23.109.40	A (IP address)	IN (0x0001)

System Behavior

Analysis Process: H9NSZqE1YV PID: 6232, Parent PID: 6124

General

Start time:	07:41:00
Start date:	06/08/2022
Path:	/tmp/H9NSZqE1YV
Arguments:	/tmp/H9NSZqE1YV
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: H9NSZqE1YV PID: 6234, Parent PID: 6232

General

Start time:	07:41:00
Start date:	06/08/2022
Path:	/tmp/H9NSZqE1YV
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: H9NSZqE1YV PID: 6235, Parent PID: 6232

General

Start time:	07:41:00
Start date:	06/08/2022
Path:	/tmp/H9NSZqE1YV
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: H9NSZqE1YV PID: 6237, Parent PID: 6232

General

Start time:	07:41:00
Start date:	06/08/2022
Path:	/tmp/H9NSZqE1YV
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: H9NSZqE1YV PID: 6239, Parent PID: 6232

General

Start time:	07:41:00
Start date:	06/08/2022
Path:	/tmp/H9NSZqE1YV
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: H9NSZqE1YV PID: 6242, Parent PID: 6239

General

Start time:	07:41:00
Start date:	06/08/2022
Path:	/tmp/H9NSZqE1YV
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: H9NSZqE1YV PID: 6331, Parent PID: 6242

General

Start time:	07:43:48
Start date:	06/08/2022
Path:	/tmp/H9NSZqE1YV
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Analysis Process: H9NSZqE1YV PID: 6244, Parent PID: 6239

General

Start time:	07:41:00
Start date:	06/08/2022
Path:	/tmp/H9NSZqE1YV
Arguments:	n/a
File size:	5388968 bytes
MD5 hash:	ae65271c943d3451b7f026d1fadccea6

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report H9NSZqE1YV

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: H9NSZqE1YV PID: 6232, Parent PID: 6124

General

Analysis Process: H9NSZqE1YV PID: 6234, Parent PID: 6232

General

Analysis Process: H9NSZqE1YV PID: 6235, Parent PID: 6232

General

Analysis Process: H9NSZqE1YV PID: 6237, Parent PID: 6232

General

Analysis Process: H9NSZqE1YV PID: 6239, Parent PID: 6232

General

Analysis Process: H9NSZqE1YV PID: 6242, Parent PID: 6239

General

Analysis Process: H9NSZqE1YV PID: 6331, Parent PID: 6242

General

Analysis Process: H9NSZqE1YV PID: 6244, Parent PID: 6239

General

Linux Analysis Report
H9NSZqE1YV